Having worked around financial crimes for a number of years, I noticed they seemed to be on the rise.
One reason for this is technology, which grows more rapidly than laws designed to protect us from it.
Although the blog is a resource to educate people on identity theft, it also strives to educate the common person on the rapidly growing problem of crimes enabled (made too easy) by technology and the Internet.

Tuesday, November 28, 2006

Anyone noticed that spam is filling up your inbox? No, it's not your imagination, experts are saying the volume has increased up to 300 percent -- depending who you talk to.

As usual - in the technology versus technology battle - the bad guys seem to have defeated a lot of the countermeasures (spam-filters) that have been developed in recent years.

If you would like to see all the technical explanations, Network World did an excellent article with links to previous articles, here.

According to the Network World article, a certain Amichai Inbar a.k.a. John Che Blau and Jonathan Blau is behind a lot of it (operating out of Tel-Aviv).

I'm sure there are those developing additional countermeasures - which will be made available at a price - but I have a better idea. Use existing laws to take away Mr. Inbar's "ill-gotten proceeds" and put him and all his friends where they belong (prison).

Once they start taking away all the "ill-gotten proceeds," there would probably be plenty of it to fund additional legal actions!

So far as countermeasures being developed to meet this latest threat, history dictates that in a matter of time, they will be obsolete, also.

It probably wouldn't be hard to find the "spam kings," they don't seem to be hiding in caves on the Pakistani/Afghani frontier.

In fact, according to Spamhaus - the largest point of origin by far is the United States.

Perhaps, Microsoft is setting the example (after themselves being attacked for years) and taking legal action.

In my opinion, Microsoft is leading the way towards an effective resolution of this problem.

Here is an interesting site from "Ban Spam," with International contacts on where to report spam (broken down by all the different scam variations and countries).

The more spam that is reported provides valuable intelligence to those, who are taking legal action to stop it.

Monday, November 27, 2006

First gypsies impersonate Dr. Phil and now someone is selling tickets to the Oprah show that smell a little "phishy."

Illinois Attorney General, Lisa Madigan warned the public in a official statement:

In this case, e-mail recipients are asked to submit personal information and told they will receive tickets to The Oprah Winfrey Show after verification of certain financial information and/or the wiring of money to an unknown third party. However, according to Harpo Productions, Inc., The Oprah Winfrey Show does not sell tickets or ticket travel packages to fans. Consumers should disregard any e-mail that purportedly comes from The Oprah Winfrey Show offering show taping tickets for a fee.

No one is reporting any cases of identity theft yet, however one this is certain; wire money to anyone for Oprah tickets and you are going to lose out!

Tickets to watch a taping of the Oprah show are free!

Fraudsters and Phishermen love to have money wired to them - because once it's picked up - it belongs to them and there is nothing the sender can do about it.

Of course, the personal information harvested from this phishing attempt might be for sale in underground forums (chat-rooms). More on this, here.

Please note that "unsolicited" requests for personal and financial information via the Internet are scams, no matter how official they might seem. Fake "official looking" websites - including banking sites - are all "too" common in the "sometimes" murky waters of the Internet.

For more on this, you can read the release from Attorney General Madigan's office, here.

The press release mentions information on where to report this scam at the bottom of the release (link above).

In November, in another case, there were more arrests in three Indian cities - 6 skimmers, laptops, a desktop and cards were seized.

The activity was facilitated with the collusion of waiters and shop-keepers.

According to my "source," more card-skimming has been uncovered and the Indian authorities are hot on it's trail. We can probably expect to see a few more criminals arrested in the not so distant future.

Until recently, cloned cards were normally sent in the mail from other destination points in Asia.

Recently, the news media was awash with stories of information being compromised at call centers in India. The industry and the government in India have quickly moved to enact legislation to counter this threat.

The stories got a lot of attention (probably because it happened in India), but in reality, information and data breaches are happening (with too much frequency), worldwide.

India seems to be proactive (refreshing) in taking legal measures, which are far more effective that technological countermeasures, to protect it's citizens and the industry, itself.

Saturday, November 25, 2006

Black Friday has come and gone and now we have Cyber Monday to look forward to. Cyber Monday was coined by the National Retail Federation because it represents one the largest e-commerce shopping days of the year.

While shoppers search the Internet for all the "deals" that will be offered, another element - the cyber criminals - will be offering "goods and services" at too good to be true prices.

If we are to believe recent statistics, the cyber-criminals will be out there in force.

Phishing is a leading cause of identity theft and financial crimes, where someone receives an e-mail appearing to from be a legitimate company (normally financial institution). In the e-mail, instructions are contained to click on a link leading to a fake website, where the goals is to con someone into giving up information (personal and financial).

Auction fraud has also grown to the point that it now is the number-one complaint filed with the Internet Crime Complaint Center or IC3. Internet auctions have become a popular place to buy Christmas gifts.

And a massive bot-net of "zombie" computers designed to attack in-boxes across the world has been seen forming on the horizon to facilitate the "holiday attack." Anyone noticed how many spam e-mails are getting past your spam filters lately? The speculation is that these will be to perform phishing expeditions, and or spread other scams.

The National Consumers League and the National Cyber Alliance offer the following tips, here.

Government sources are also great places for information on how to protect yourself from cyber-criminals.

The Federal Trade Commission has a lot of great information on how to protect yourself and report suspected criminal activity, here. And not to be outdone, the FBI covers a lot of these crimes and has a place where they can be reported, here.

The TimesOnline article also mentions that the UK is a staging ground for a lot of the stolen merchandise, which are proceeds of auction fraud.

According to the article, the activity also enables the criminals to return (easily) should they get caught:

Suspected Nigerian fraudsters, who have been deported in exchange for charges against them being dropped, are re-entering Britain using forged travel documents and resuming their activities, according to the study.

Other suspects are absconding and disappearing because, unless they are accused of crimes involving more than £50,000, they are being released on bail.

I wonder how many of them get bailed out on a stolen identity, assume another one, and go right back into business?

We seem to see story after story about what a huge problem counterfeiting has become. One of the main reasons is that technology makes it easy to do, and if anyone is caught, the consequences are minimal.

It's true that the article is about activity in the United Kingdom, but the problem isn't contained to the British Isles.

And Nigeria isn't the only place counterfeit documents are being made.

Asia has also been a reported "source" for a lot of counterfeiting. For instance, it's widely believed that North Korea has been flooding the world with "supernotes" (counterfeit $100 bills) that are almost impossible to tell from the real thing. Wikipedia article, here.

If you read through the article, it tells of ties to terrorist organizations and organized crime syndicates.

Thursday, November 23, 2006

I got another one that makes a lot of sense, which is to think carefully before spending money you don't have this weekend. Since tomorrow is "Black Friday," the biggest shopping day of the year, the timing is appropriate.

In their own words (or maybe I should say the words of the consumer):

Just as the holiday season gets ready to kick into high gear, Consumers Union is warning shoppers about the increasing number of credit card traps that can trip up consumers and lead to spiraling debt. To help get out the message and mobilize support for reform, the group is releasing "It's Always Christmas Time (For Visa)," an animated satire that takes aim at abusive credit card fees and practices.

"You can find yourself buried in debt if you aren't careful to avoid the credit card gotchas," said Michelle Jun, Staff Attorney for Consumers Union. "Too many credit cards are designed to get you in debt and keep you there."

“It’s Always Christmas Time (For VISA)” is a lighthearted take on the unexpected fees, interest rate hikes, and misleading contracts that are contributing to high credit card debt in the U.S.

After viewing the animation, viewers can send an email to Congress asking lawmakers to support credit card reforms. To view the animation, click on www.CreditCardReform.org.

Consumers enjoy few protections when it comes to credit cards and there are an increasing number of ways they can be penalized with fees or get stuck with higher interest rates:

Universal default: Your interest rate can skyrocket if your credit score declines because of your behavior with other creditors even if you always pay your credit card on time and never miss a payment. Some card issuers will raise your rate if you inquire about a car loan or open a new credit card.

Change of terms: Credit card terms keep changing. Read the fine print and chances are you’ll find this disclosure: “We reserve the right to change the terms (including the APRs) at any time for any reason.” A fixed rate is fixed until the bank gives you at least 15 days notice that it isn’t. If you want to keep your account open, you’ll pay the higher new rate on your existing balance.

Teaser rates: That low rate you signed up for expires suddenly and you end up paying more. A temptingly low introductory rate can climb to 30 percent or more. - more -Minimim payment: If you pay the minimum payment every month, you’ll end up paying a lot more than what you charged and you could be on the hook for a very long time.

On time payment: Card issuers are systematically mailing statements closer to the due date, giving customers less turnaround time. You can be hit with a late fee even if the payment is mailed on time. The average fee for a late payment has more than doubled in the past decade.

Double cycle billing: Finance charges are usually calculated using the average daily balance. If you alternate between paying off and carrying a balance, you’ll end up paying more interest.

Cash advance/convenience checks: The interest rates on these are higher than your credit card.

Penalty interest and fees: Late payments can raise your interest from 7% to 27%! Rather than rejecting charges that exceed your credit card limit, issuers today often let them go through but then charge a hefty fee -- as high as $39.

Fees, fees, and more fees: As if the penalties weren’t enough, you pay more fees for paying by phone or charging abroad. You may have to pay a fee to receive what used to be free year-end summary statements.

Balance transfer switcheroo: Transferring a balance from an account with a high APR to another one with a lower interest rate could come at a high cost. Any payments you make are typically applied first to the lowest rate balance. So while the credit card company uses your payment to quickly pay off that 0 percent transfer balance, you are piling up interest on purchases, at say, 18 percent. Multiple balance transfers will hurt your credit score.

I write about fraud from a victim's perspective, and I've often lamented on why it seems insane to keep writing-off not only monetary losses (passed on to everyone), but "seemingly," the millions of victims created by the not very secure handling of people's personal information.

People need to learn to be responsible when using credit - but that's hard to do - when credit card companies issue (too) large lines of credit to new customers and even send pre-approved offers to family pets (this actually happened at my house). My daughter had been using the dog's name when registering on certain websites.

It's not hard to see why so many are up to their necks in debt before they realize what happened, or why there is so much credit-card fraud. It all boils down to too much bad debt that eventually has to be compensated for.

I recently blogged about how sending mass-mailings of pre-approved credit card offers is dangerous to the recipient's financial health. There seems to be a trend of making it too easy to get credit and not paying enough attention to the consequences of doing so.

Perhaps, what is needed is a new era of responsibility? Bad debt is an expense on any financial statement and the quest to keep expanding customer bases has led to an environment of "robbing Peter to pay Paul." Since the issuers would go out of business if they weren't profitable, revenue streams are added to cover it, and "more."

And guess who ends up paying for it?

In my opinion - should we fail to address the problem soon - the bottom is likely to "fall out" sometime in the future and that isn't going to be a "good thing" for the credit-card- issuers, or their customers.

Rob Caskey - who is buySAFE's marketing guru - sent me this interesting survey they conducted. What's interesting about the survey is that takes the fear of Internet fraud beyond bogus financial instruments and identity theft to a more basic level.

The survey reveals that the average person fears they won't get the product received, or get something other than what was represented. And if you consider all the variations of auction fraud on the Internet, this is what normally happens to the average customer when they are defrauded.

And - after all - when we go shopping the goal is to have a pleasant experience and get something we want. We don't want to have to constantly worry about getting ripped-off.

Here is what the press release from Market Wire had to say:

On the brink of Black Friday – the biggest shopping day of the year - identity theft and credit card fraud are not the only issues causing consumers to abandon their online shopping carts this holiday season. A recent survey by online trust and safety company buySAFE, Inc. (www.buysafe.com) and online market research service Insight Express revealed that respondents are almost equally concerned with the possibility of non-delivery or receiving something different than promised. These concerns – along with concerns about the trustworthiness of the retailer, quality of merchandise, and shipping costs -- are amplified when shoppers are considering buying from smaller, independent online retailers.

There is no doubt that there are a lot of hard-working and "honest" sellers on the Internet, who have been hurt by all fraud that takes place on auction sites. In fact, according to the experts, auction-fraud seems to be the number-one complaint these days.

From legitimate accounts being taken over by phishing (eBay and PayPal are the two most targeted brands) to a wide-array of counterfeit and stolen goods being sold, consumers face the real fear of getting ripped-off when buying an item.

I had a conversation with another person who writes about fraud on the Internet recently, and we both agreed that the average Internet customer almost needs to become a "fraud expert" to ensure they aren't going to be "taken advantage of."

buySAFE has created it's own "niche" in the market by ensuring a seller is legitimate and giving their customers the "peace of mind" that they are dealing with a legitimate and "trusted" retailer.

Although the service isn't free to sellers (customers don't pay anything), it protects the average person from all the fraud we hear read about in the e-commerce world. So far as the honest sellers - who have been damaged by Internet fraud (consumer confidence) - it lets everyone know they are a "trusted source."

For the smaller seller and the person out there in search of a "good deal," the service allows them to focus on their primary goals (selling and shopping) and it leaves the "worrying" to someone else, (buySAFE).

buySAFE has a couple of bloggers on their team (who I've had the opportunity to correspond with) and I've found more than one interesting insight about e-commerce when reading them.

buySAFE, Inc. is the leading trust and safety company for e-commerce transactions. buySAFE qualifies merchants, identifies reputable online businesses with the buySAFE Seal, and uses surety bonds to provide broad protection for individual buyers from online transaction risks. The buySAFE bond is backed by Liberty Mutual, Travelers, and ACE USA for up to $25,000, and boosts consumer confidence for lesser-known online retailers, allowing them to compete with the big, established brands. buySAFE has issued more than 9.5 million surety bonds on individual online purchases. There are currently more than two million items bonded with buySAFE that can be found at www.buysafeshopping.com. buySAFE is headquartered in Arlington, Virginia. More information can be found at http://www.buysafe.com/.

After finishing my most recent post about skimming devices placed on BP point-of-sale systems in the UK, I read an article in Computer World about what might be the latest large data breach.

Jaikumar Vijayan writes:

Several financial institutions last week canceled thousands of credit and debit cards in Michigan because of fraud concerns related to an apparent data compromise at a convenience store chain, highlighting the wide effect that retail security breaches can have.

Jaikumar's story states that Wesco, a retailer, is suspected as being the point-of-compromise. Of course, Wesco isn't admitting this and merely states that the matter is under investigation.

Office Max was the suspected point-of-compromise in another case last fall and to the best of my knowledge - they never admitted to being involved. Dollar Tree and Sam's Club have also recently been suspected as being points-of-compromise in breaches, where large amounts of credit/debit card information were compromised.

Why are hackers targeting retailers? The answer might be that large amounts of account information - including PINs (personal-identification-numbers) - are being maintained in databases, which are poorly protected and therefore easily compromised (hacked).

In his story, Jaikumar interviewed an expert from Gartner (Avivah Litan):

It also wasn’t clear how the data might have been breached. But four out of five data compromises involve security breaches at point-of-sale systems, said Avivah Litan, an analyst at Gartner Inc. The POS systems at convenience and grocery stores, as well as gas stations, can be especially vulnerable because of a lack of IT security awareness and resources, Litan said.

Much of the exposure results from merchants connecting their POS terminals to IP-based networks, Litan said. Often, such systems store magnetic stripe data from cards and have default passwords that can be easily hacked, she added.

The Payment Card Industry security standard explicitly prohibits the storing of magnetic stripe data on POS systems. But retailers continue to do so, and many POS applications store the data by default, Litan said.

The problem is that the retailers never admit to being breached, the banks give out limited information when asked about it, and it appears that there are too many companies not following the Payment Card Industry Data Security Standard.

Perhaps the problem is that Payment Card Industry Data Security Standard isn't being enforced and the consequences are lacking for those in violation of it. At a minumum, shouldn't these companies be prevented from doing electronic payments by the industry?

Even if a lot of the losses are being written-off, they are normally passed on to everyone in the form of increased fees, interest rates, or in the case of retailers - higher prices. Despite this, there are also people that are denied compensation, especially if they fail to be timely in filing a claim; or a PIN was used and they can't tie it into a known breach.

With the amount of data-breaches, it's often difficult to figure out where any particular person's information was stolen from.

If the Payment Card Industry can't clean up their own backyard, perhaps it's time for some government inquiries into why so much information is being compromised?

Even without government intervention, there is the matter of consumer confidence to be considered. Consumer confidence is what makes businesses thrive, and a lack of it can be a disaster for all of those involved.

I'm sure there are retailers protecting their information properly, and the ones who aren't give everyone a bad name.

Police in the United Kingdom are calling an ATM skimming case, one of the biggest of it's kind. ATM skimming is where a debit-card's magnetic stripe is counterfeited (cloned) and the PIN (personal identification number) is compromised - normally with a hidden camera.

Official's estimate the fraud has already netted about $4.5 million and the counterfeit cards have been used in 19 countries and five continents.

According to the story published in the SundayMirror.co.uk:

The scam was uncovered after police launched an investigation - codenamed Operation Turner - after receiving 560 complaints. Detective Sergeant Dick Bollard, who is leading the probe, said: "This is one of the biggest scams of its kind. It's a very large and complex investigation which is expected to take a considerable amount of time.

"The investigation is ongoing and we are looking into a number of leads in the UK and abroad." A spokesman for trade organisation APACS, which helps banks fight fraud, said: "These scams have involved copying a card's magnetic strip and in cases filming a driver keying in a PIN number by using some sort of hidden camera.

And the UK isn't the only place that is having problems with debit-card skimming at gas stations. A similar case happened at Arco stations in California and there have been many other instances, worldwide.

BP owns Arco in the United States.

Although a lot of skimming is attributed to devices being placed on (self service) point-of-sale terminals and ATM machines, there has been recent evidence cards are also being cloned after databases have been hacked at retailers.

Some who investigate this believe that the people behind this intentionally hold on to the stolen information before using it to frustrate investigative efforts that would discover their techniques, or operations. In some recent cases, the authorities could only speculate, which of the known breaches, an individual person's information was stolen in.

It pays to keep an eye on your card to make sure it isn't being swiped more than once.

There's probably not much an individual person can do when entire databases are compromised, but an individual can shield their PIN when using their debit card (strongly recommended).

At least if they don't have your PIN, they can't get cash; however they might still be able to use the card number for signature based, or e-commerce transactions. Note that credit-cards are cloned for the same purpose.

Last, but not least - debit cards don't offer the same protection as credit cards do. If you expect to recover your money, the allowed time frame to file a claim is a lot less than with a credit card.It's a good idea to watch your statement carefully.

If you would like a more visual demonstration of how skimming occurs, Visa has a pretty telling page (portable devices), here.

Flickr has a link to a public group pictures of ATM machines, including skimming devices, here.

There are a lot of eyes out there (customers and employees) that might spot a suspicious device - if you do - never touch it and make sure you report it to law enforcement (immediately). Since the activity normally occurs in public (retail) spaces, an educated individual could very well make the difference in cracking one of these cases. Remember that anyone near the device - no matter how official they look - might be involved, themselves.

At first, I thought "here we go again," but in reality -- there are probably thousands of laptops that have disappeared in the private sector that were never made a public record via the "Freedom of Information Act."

In fact - in a lot of the data breaches observed - the breached seem to disclose as little as possible. I wonder if we know about every data-breach that might have occurred?

Articles about missing laptops compromising "millions" make good stories, but in reality, laptops are a desirable item and get stolen all the time. It's entirely possible they are bought and sold on the black market and even used by criminals, who are clueless of their "information value."

I predict sometime in the near future, we'll see a story on information was compromised by the theft of a smart phone. They're pretty easy to steal and (desirable), also.

Again - with the amount of personal information being stolen and used in financial crimes - who knows? Some "expert" will argue that none of it has been used and the criminals using it are unlikely to comment.

No matter where it comes from, the astronomical increase in identity theft, clearly indicates that a lot of information is being compromised - whether stolen from a laptop, garbage can, or via malicious software, sometimes referred to as crimeware.

I had to chuckle recently when some "security experts" observed that in most identity theft cases, the information compromised came out of trash cans. Whether they are right, or wrong - the information sent in mass mailings starts in a database - sold for a profit and printed on a computer.

The only difference is the method of mail being used. Trust me, the Postal Inspection Service investigates a tremendous amount of fraud that is sent via snail mail and mail fraud is nothing new.

We see technology fixes, which are highly publicized, but seem to have short lifetimes after "saavy" criminals defeat them. An example of this is the "chip and pin" technology - which seemed to be compromised in no time at all on older ATM machines.

There are still a lot of older ATM machines to be used.

I've also seen "experts" blame people for not keeping their virus protection up-to-date, or falling for social engineering schemes. Are they to blame for e-commerce sites that are easily faked and complete "do it yourself" scamming kits routinely available on the Internet?

An entire security industry has grown up around this problem and if you want protection - which doesn't always work - you need to line someone's pockets. In fact - in many instances - you not only have to line their pockets once, but you also have to pay for all the countermeasures that are developed when their measures are defeated.

Businesses love income streams.

Then there are the faux providers of protection, which can lead to more information being sifted from your computer if you happen to download their "fixes." It's very difficult for most consumers to determine - who is reputable and who is not - when their ads are right next to each other on the Internet.

Sadly enough - one of the solutions has been to offer "identity theft insurance," which means that people are being asked to finance their own protection. A lot of this is being sold by the same people, who are buying and selling all the information that caused the problem in the first place.

We need to address to the real issue, which is there is too much information out there that is "poorly protected" and easily accessed for "dubious purposes."

Please note that I'm not advocating that people don't need identity theft protection, or to protect their systems. Virus protection, firewalls and identity theft protection are probably good things to have in the current enviroment we are dealing with.

And I'm not saying all the "experts" are wrong. Trust me, a lot of them are hard working, thoughtful and dedicated people trying to make a difference. The problem is that money can buy a lot of experts and those using and abusing people's personal information have plenty to spend.

We need to stop believing that technology can cure the problem and realize we are dealing with a social issue. The bottom line is that a lot of sensitive personal information is being poorly protected and too many people are being victimized by the use of it.

Since so much money is being made by making "sensitive information" too easy to access, the people making a lot of money are resistant to change. Until we make it less profitable for them to continue "enabling" the problem, the problem isn't going to disappear and is likely to grow.

If the people enabling the problem are "resistant to change," perhaps the answer is to create laws to protect the innocent and make it a little harder for the guilty to do business as usual!

Blaming victims for something they didn't cause is getting a little old!

Thursday, November 16, 2006

It seems the "artists" (Artists Against 419) are planning an offensive against Internet scammers this weekend.

They are inviting people to see what this is all about and participate if they wish.

In their own words:

Welcome to the Fifteenth Flash Mob!

Three years doesn't seem like a long time in the grand scheme of things. But in that time, aa419 has grown into a major anti-fraud force on the internet. A quick look at our database will tell you why -- we have identified more than 10,000 fake web sites in that time, and shut almost all of them down.

We're proud of finding and blacklisting all these scammers, but we're even more proud of working with hosters to get their sites offline. And to accomplish this, we rely on a fantastic group of volunteers, some of whom have killed hundreds of scam sites all on their own!

Listen to our Radio 419 broadcast during the flash mob, and join us in chat. We will be holding live tutorials throughout the Flash Mob, and this is an excellent chance for you to learn the nuts 'n' bolts of fake bank killing!

In case you didn't already know - 419 is the Nigerian Penal Code for advance fee fraud - which victimizes millions of unsuspecting people. The artists have very detailed descriptions of all the variations on their site.

The people behind this consider themselves "artists" because they trash fraudulent bank sites - also have a wonderful sense of humor - which is evident on the site, itself. All humor aside, the site is also an excellent place to learn how Internet scams work, and more importantly how to safely navigate "dangerous waters," while surfing.

Wednesday, November 15, 2006

I recently did a post wondering if sites reselling gift cards would create an additional avenue for dishonest people to commit fraud. After all - gift card fraud - isn't new and eBay limits the sales of them on their sites because of the criminal activity associated with them.

The main reason eBay limited the sales on their site was pressure from the retail industry, or so I've read.

Fraud committed against retailers costs billions, and it's added into the "cost of goods sold," which means we are all paying higher prices because of it. There is a limit to being able to add the price of fraud into the cost of an item (competition) and when this happens, businesses fail.

A lot of people have lost their jobs when retail fraud couldn't be controlled.

In response to my original post, Joe LaRocca, Vice President of Loss Prevention for the National Retail Federation was kind enough to send me some links illustrating how big a problem this has become.

In November, the NRF released information that estimates retailers will lose $3.5 billion during the holiday (Christmas) season - link here.

Many retailers issue gift cards versus cash for refunds (especially when no receipt is present) and fraudsters sell them for cash. Joe provided me with an interesting link on this (story and video clip) from NBC4.com, here.

Refund fraud normally is a result of shoplifting, but when dealing with gift card fraud, we also need to include credit/debit card and check fraud. Retail fraudsters buy gift cards with their "bogus financial instruments" and then sell the cards for cash. Of course - they could be refunding merchandise bought with their bogus instruments - but it's easier (less work) for them to simply buy the "gift cards" and resell (fence) them.

Credit/debit card and check fraud are two activities that directly tie into "identity theft," which victimizes 9 million people a year in the United States, alone.

Besides the "indirect costs" we all pay - a lot of ordinary people become fraud victims after an encounter with a fraudster on an auction site. The Internet Crime Complaint Center cites auction fraud as their number one complaint and it keeps growing every year.

Besides placing yourself at risk - buying gift cards over the Internet - might be supporting the victimization of ordinary people and businesses alike!

NBC News did basically the same thing that Rob - Cockeyed.com blogger did - and got similar results:

From the NBC News story:

You think ripping up those credit card applications is enough to prevent identity theft? Think again.

Getting the credit card applications has never been the problem. It's what to do after they pile up that's the real consumer dilemma.

We've been warned for years-- if you don't want 'em, destroy 'em. However, ripping and tearing may no longer seem like enough.

With five applications, and a little muscle, we started ripping. Scotch taped them back together. And wrote around the tape- filling out the application the way an identity thief might if he'd been digging in our garbage.

And the results were a 60 percent success rate, or they got 3 brand new credit cards.

The official responses to how this happened by the credit card companies were:

In a statement, chase card services says it has "rigorous policies" for handling applications and a "special handling process" for the rare torn applications. In this case, however, "it is clear to us our procedures were not entirely followed for this particular application...and we are investigating."

For the two cards it issued, Bank of America, which merged with MBNA, says the applications "both went through the proper verification processes" and that "the signature, social security number and birth date matched" a (current) customer with excellent credit.

The company added that it sometimes sends cards to unrelated addresses as a convenience customers have requested.

Many of these institutions are claiming they have a "zero liability" for fraud - the reality is that we are all paying for it in the form of increased fees and interest rates.

After all - how would they stay in business otherwise?

A lot of them are also selling "identity theft products," which adds another revenue stream to their coffers. Some believe they have helped create this industry by not protecting their customer's information in a "responsible manner."

The conclusion of the NBC article was to "opt out" and of course - buy a good shredder.

You can opt out by calling 1-888-5-opt-out.

It's a shame that we all need to buy shredders and "opt out" to protect ourselves from "marketing practices" that victimize innocent people.

Sunday, November 12, 2006

No matter what expert you go to - phishing keeps increasing, both in the number of attacks and the amount of money stolen.

An example of this would be a recent story by Robert McMillian of IDG News Service. His story - quoting Gartner (a computer security research firm) - shows the dollar value has gone from $256.00 to $1244.00 per incident. Gartner is also claiming that the number of people victimized has risen from 1.9 million to 3.5 million. While most of the statistics are going up - there is one that isn't - the number of people recovering their money, which has gone down from 80 percent to 54 percent.

Please note, these are U.S. estimates - and to the best of my knowledge - the U.S. isn't the only one suffering.

Mr. Laudanski has an excellent point here and it's not only true when it comes to phishing - data breaches and even auction fraud (another two lucrative Internet crime activities), frequently are downplayed and or "not disclosed" to the public.

Gartner estimates that phishing costs the U.S. $2.8 billion, but if you were to listen to the FBI, cyber fraud is costing us about 70 billion. Of course - Phishing isn't the only cybercrime out there.

Tom Young (Computing) quoted FBI special agent Mike Eubanks as saying less than 5 percent of the big "Cyber Crooks" are ever caught.

Agent Eubanks also said:

"Each year in the US, $70bn (£37bn) is lost to cyber fraud, and the problem is getting bigger. Many of the criminals come from Russia, Ukraine and Romania. These people are specialists in malcode, as well as in covering their tracks. They communicate through email and chat forums."

"In a computer crime the data is stale within weeks, and the evidence is in many different areas, personal PCs, corporate databases, all over the world which makes it particularly difficult. The IT industry needs to work with law enforcement, and use it as a selling point. The industry can look to see if it is experiencing crime that police are seeing, and vice versa. We need to put together a network that facilitates the sharing of data to analyze global trends."

Until the private sector decides to stop worrying about law suits and bad press - this is going to continue to be a losing battle for the people trying to put a stop it. Maybe the companies - who aren't disclosing information would react sooner if legal action was taken against them for not doing so.

Of course, the only way to do this would be to institute effective laws.

We still don't have an effective federal law that addresses disclosure in these incidents - and some suspect that efforts to do so are being hampered by "special interests."

My opinion is that these companies and their special interests have long claimed they reimburse fraud victims. While this is true - there are many who aren't reimbursed - and that statistic (like all the others) is also going up. While some individuals might be getting reimbursed - the cost of all this is being passed to everyone - otherwise these companies would go "broke" pretty quickly.

Another thing to consider is that when a person's personal information is stolen and later used in identity theft, the odds are that no one will know exactly where the information got compromised. This is especially true, when no, or limited disclosure is given after a long internal investigation is the "norm."

And if we are to believe Mr. Laudanski and Special Agent Eubanks -- there is a lack of disclosure -- even to those attempting to go after the "bad guys" behind this activity.

It doesn't make sense not to help the people, who are protecting the public from criminal activity.

Unless something is done that serves the public interest instead of the private interest, the "Phishermen" will continue to reel in record catches and expand their activities.

Saturday, November 11, 2006

It contains more details on the arrests, which amazed me because the indictment was only for seven people being compromised. This is probably a testament on how difficult it is to pin people doing this down to a specific charge.

I also found a local story on "carder forums" that was done by CBS 13 in Sacramento, California. Not much new in this article that hasn't been reported before here, but it does have an interesting video (along with the article), here.

It's a shame that criminals are able to take advantage of borderless environments and a lack of laws to prevent these forums from operating.

We keep trying to fix these problems with technology, but until we fix the social problems - any "technological fix" is likely to be defeated in a short time by a "technological countermeasure."

After all - the human mind is much more powerful and adaptable - than any computer system developed so far.

Friday, November 10, 2006

I've had the opportunity to look at a lot of identity theft services, but until now - I've never run into one I considered "victim friendly."

I've written off most of the services I've seen -- either because they were financial services products (created by those who had compromised victims themselves) -- or they were selling nothing more than what could be accomplished by going to "free government sites."

Many of them also charge a monthly fee - just to "have the service," even if it is never used.

Another "big problem" is that all of them require that you surrender your personal information - which could in turn be stolen, or even worse sold as "marketing information."

Over the past several months, I've been in contact with Tom Fragala (CEO of Truston Corporation), who himself is a former "identity theft" victim and became a "victim's advocate" because of the experience.

Tom is launching his new product that helps the average person protect themselves from identity theft and recover from it if they become a statistic (victim).

Here is information about it - directly from the Truston site:

Truston helps make you safe from identity theft without putting your personal information at further risk.Our myTruston service is the only freecredit inspecting service available, helping you stop ID theft cold. And, we offer the only complete onlineID theft recovery helping you restore your good name (free until2007). Learn more»

I had the opportunity to test the system - and found it extremely easy to use. It even reminds you via e-mail when you have additional items to follow-up on.

Additionally, the methods used in this service were written by experts in the field - and based on my experience would be "extremely effective" in resolving a personal "identity theft" crisis.

If anyone is interested in being a "tester" for this new service, Tom's blog says there might be a few "golden tickets" left!

On a closing note, both Tom's blog and the Truston site have a lot of great information about "identity theft" and are a recommended read for anyone interested in the subject.

Thursday, November 09, 2006

Phishing is a scam involving e-mails sent with the intent to trick people into giving up personal information after clicking on a "link" to a bogus website designed to appear "legitimate." The information is then used to commit identity theft and a host of financial crimes. The latest "lure" being used is a Social Security cost of living increase.

The Social Security Administration announced today:

The Agency has received several reports of an email message being circulated with the subject “Cost-of-Living for 2007 update” and purporting to be from the Social Security Administration. The message provides information about the 3.3 percent benefit increase for 2007 and contains the following “NOTE: We now need you to update your personal information. If this is not completed by November 11, 2006, we will be forced to suspend your account indefinitely.” The reader is then directed to a website designed to look like Social Security’s Internet website.

This morning, I read a story in the San Jose Mercury about organized retail theft - which mentioned how shoplifting gangs are stocking up for the Christmas season.

The story quoted Joseph LaRocca, of the National Retail Federation:

"Goods stolen by organized or professional thieves are sometimes sold cheaply at flea markets, on street corners or in impromptu home boutiques, say retail security experts. They can end up as fraudulent returns to stores. And in a high-tech age, they can be "e-fenced'' on online auction sites."

Also mentioned was how gift cards are being bought and stolen with fraudulent checks and credit cards.

Not mentioned in the article is the fact that gift cards are also issued as refunds when someone doesn't have a receipt and that "hackers" have been able to load "blank cards" in the past.

And new "gift-card auction sites" seem to be popping up all over the Internet.

Marshall Loeb of MARKETWATCH recently did a story on these sites, which attributed this new trend to consumers not using up their old cards. While this might be true -- gift card fraud is nothing new -- and I have to wonder how many cards sold on these sites were the result of one fraudulent transaction, or another?

And even the article states that consumers should be wary:

Consumer advocates warn that you should be careful when doing business on these sites. There is virtually no way to avoid fraud completely; a seller could post and sell cards that have no value. Some sites have built in safeguards to prevent this from happening. CardAvenue.com, for example, validates cards listed at more than $100 and will cover up to $100 of a card's value if it proves to be a dud (you have to pay a $10 deductible, though).

After reading this, I had another thought, which was that eBay warns people all the time not to do off-eBay transactions, but they do anyway - and there are many of them who become fraud victims.

It's amazing what a few "too good to be true deals" will harvest in the way of victims.

Will we see the same thing on these "gift card sites?"

A couple of years ago - eBay limited the number of cards that could be sold by any one seller - as a result of all the fraud and some pressure by corporate victims (retailers).

Now - it seems - that these gift card sites are stepping into to fill the "void" left by eBay's change in policy.

A lot of these sites are too new to have developed a history, but given the history of gift cards being tied into fraud - it's probably a matter of time before we see problems.

I would strongly recommend that buyer's be careful (caveat emptor) and that the "retail industry and law enforcement" keep a "watchful eye" on these sites.

Of course - my guess - is that they already are!

A closing thought is that even if the cards work - if they were a result of a fraud transaction - we all end up paying for it in the end.

Businesses wouldn't stay in business otherwise.

If you are interested in how much gift card fraud there is out there, click on the title of this post.

I guess the not-so-good folks at Zango have decided to keep on with their misdeeds against Internet users.The good news is that there are "good guys and gals" watching out for the rest of us on the Internet.

Here's a warning from the "good folks" at Websense:

Websense® Security LabsTM has discovered a number of user pages on the MySpace domain which have videos that look like they are from You Tube. The videos have an installer embedded within them for the Zango Cash Toolbar. When users click on the video, they are directed to a copy of the video, which is hosted on a site called "Yootube.info."

I've written a lot about the various Advance Fee scams out there - and judging from my inbox - the lottery variation of the scam is huge.

I sometimes get four or five notifications that I've won a lottery, or sweepstakes, daily.

Last evening, I read an article written by Linda Leatherdale of the Toronto Sun about a grandmother losing a lot of her hard-earned money as a result of falling for them.

Linda Leatherdale writes:

But more than anything, she wanted to pay for a university education for her three grandchildren. So she entered the sweepstakes.

Lo and behold, a few months later she received a letter that she had won. Ecstatic, she read what she believed to be an authentic lottery letter, which asked her to sendin $25 to collect her prize.

CASH MAILED OFF

Not trusting giving out personal financial information, via cheques or credit cards, she sent cash. Then other letters arrived -- from the U.S., Australia, New Zealand and other parts of the world. Some invited her to play a new lottery, others said she'd won and to send money to collect her prize.

I've seen the lottery scams, where a high-dollar financial instrument is mailed to the "intended victim," along with instructions to wire the money back - but mailing the smaller amounts ($25 to $50) was an activity that was new to me.

With Spam software that sends these "winner notifications" by the millions - I can see, where this could be a lucrative enterprise for the fraudsters behind this.

I guess the moral of the story is to look for the behavior. I've never won the lottery (I play Mega Millions sometimes) - but if I did - I doubt anyone would be asking me to send money.

It would probably be the other way around, or they would be sending me money!

Linda's article mentions "Phonebusters" as a good resource to educate people on Internet scams. I agree and you can link to them, here.

Saturday, November 04, 2006

In late May, I did a post about the Jefferson scandal - where money was discovered in a freezer - that was allegedly "earmarked" for the Vice President of Nigeria, Abubakar Atiku.

At the time, Vice President Atiku stated "that Jefferson was name dropping and obviously committing a 419 (Nigerian Penal Code for Advance Fee) scam."

For anyone that is unfamiliar with advance fee (419):

"Nigeria is one of main sources for all sorts of Advance fee fraud (419) fraud scams. The Advance Fee scam is where a ruse is used to get a victim to part with their money (nowadays normally via wire-transfer) in anticipation of riches (or sometimes love) to come. The best known is the "Nigerian Letter," but the activity has mutated into romance, lottery, auction, check cashing, work at home and reshipping scams."

Acting on information provided by the FBI, Nigerian fraud investigators have now indicted Vice President Atiku Abubakar on 14 counts of corruption, involving tens of millions of dollars allegedly diverted from government accounts.

According to Nuhu Ribadu, head of a new anti-corruption squad created by Nigeria's president, $23 million of the diverted money is still missing. Ribadu said $6.7 million of the missing funds has been traced to a U.S. company tied to Congressman Jefferson's family.

Meanwhile both Congressman Jefferson and Vice-President Atiku still deny everything and Mr. Jefferson -- who is running for re-election -- has yet to be charged.

In the original AP story, two of Jefferson's associates have been found guilty of bribery and admitted giving Jefferson other money to bribe African officials. The story also reports some pretty "damning" statements Jefferson made while being taped without his knowledge.

I wonder if and when he (Jefferson) will be charged - $90,000.00 in a freezer is a little hard to explain - even if it is a drop in the bucket when compared to the 6.7 million alleged by the Nigerian investigation.

The EFCC site has a lot of coverage (from a Nigerian perspective) on Mr. Atiku's woes.

Of note - Jefferson has lost the support of the Louisiana Democratic Party, which seems a wise move on their part.

Nigerian fraud is legendary on the Internet - and the EFCC has had a lot of success in "taking a bite" out of it. Here is a picture of Nuhu Ribadhu, who is in charge of the EFCC and managed the Nigerian part of this investigation:

Since most fraud today has a global reach, some might argue the EFCC is stopping people from being victimized, worldwide.

Paul Young "Digging a little Deeper" inspired my original post on Zango. Having had my now (Mac Techie) daughter download Kazaa a few years back - I "ran away" (fast) whenever I spotted Zango while surfing.

Now the FTC has responded (undoubtedly to massive complaints) and smacked Zango with a civil judgment.

From the FTC news release:

Zango, Inc., formerly known as 180solutions, Inc., one of the world's largest distributors of adware, and two principals have agreed to settle Federal Trade Commission charges that they used unfair and deceptive methods to download adware and obstruct consumers from removing it, in violation of federal law. The settlement bars future downloads of Zango's adware without consumers' consent, requires Zango to provide a way for consumers to remove the adware, and requires them to give up $3 million in ill-gotten gains.

"Consumers' computers belong to them, and they shouldn't have to accept any content they don't want," said Lydia Parnes, Director of the FTC's Bureau of Consumer Protection. "If consumers choose to receive pop-up ads, so be it. But it violates federal law to secretly install software that forces consumers to get pop-ups that disrupt their computer use."

Now Starbucks has joined their list by compromising their "own." Four laptops have mysteriously "gone missing" from their corporate headquarters - two of them contained the information of 60,000 "partners" (employees).

My question is - what was on the other two?

In keeping with keeping these breaches as quiet as possible, it's being reported that Starbucks has been looking for the missing laptops since September.

And of course, the official spin from Valerie O'Neil, their spokesperson is, "The company has not received any reports that anyone's personal information has been compromised."

Ms. O'Neil, there might be a reason for this - Thomas Harkins - who was operations director for MasterCard International's fraud division for about twenty years (now COO of the security firm Edentify) told TopTech news:

"There's so many stolen identities in criminals' hands that (identity theft) could easily rise 20 times." "The criminals are still trying to figure out what to do with all the data."

Since "good identities" fetch a measly $10.00 (estimate) each in these carder forums, the "insider" - who is more than likely responsible for this - could make quite a bit of money for their misdeed.

Ms. O'Neil also stated that we don't have to worry about any secret recipe's being on the stolen laptops. Please note the news account stated she "chuckled" when saying this.

Does this mean that Starbucks values their recipes more than their employees? Would they leave recipes "unattended" on outdated laptops gathering dust in a closet?

Missing laptops are a common theme in data breaches and with all the previously reported breaches, the entire affair bespeaks a lack of "common sense" when it comes to security.

After all - most of these breaches we read about could have been avoided - with a little "common sense."

So far as the victims of all this - the employees compromised - the FTC has a lot of good information on what you should do to protect yourself, here.

To read the press version of this story from the AP (courtesy of the Washington Post), click on the title of this post.

Today on Pogowasright.org, I was led to an article by Brian Krebs of the Washington Post - which had (in my opinion) some great news.

Brian is reporting:

"The FBI is cracking down on an international identity theft operation that involves the trading of social security numbers; the sale of stolen credit card account information; and phishing, the practice of using e-mail to trick consumers into handing over personal information, authorities said yesterday."

"Called Operation Cardkeeper, the investigation has brought about the arrests of more than a dozen people in the United States and other countries who are members of online communities that specialize in "carding," the trafficking of stolen identities and credit card and bank account information."

Let's hope that this operation is a BIG success and more arrests are forthcoming!

I've never completely trusted statistics - especially those quoting how many people have had their identities stolen. For one, I've never seen a worldwide estimate and with the global reach of the Internet - identity theft and cybercrime have become a "borderless" activity.

Another problem is that businesses are frequently reluctant to fully disclose breaches and many victims never report the crimes, or give up in the "frustrating process" of trying to find somewhere to report it.

Nonetheless some of the trends are scary and security experts in the United Kingdom are predicting we haven't seen the worst of it yet.

Veronique De Freitas of WebUser is reporting:

Experts have warned of a dramatic increase in online ID theft across the UK. Organised criminal gangs are using the internet to steal computer users' identities, which can be worth more than £85,000, a new study has revealed.

Identity theft experts Garlik claim that ID theft will be worth £4bn by 2010 and will affect 200,000 internet users every year, doubling the amount it currently affects.

I've seen other stories that "downplay" the amount of organized crime and use of technology involved in credit card fraud and identity theft, but according to Garlik:

“Our study shows organised criminals are responsible for 75 per cent of credit card fraud and are rapidly moving into identity theft. These 'identity brokers' harvest data from online sources and use the information to manufacture and steal identities for criminal misuse,” said Tom Ilube, CEO of Garlik.

Here's a pretty bizarre story - the CEO of "Compulinx" used the identities of his employees to open fraudulent credit accounts.

Chris Gonsalves of VARBusiness reports:

"Federal law enforcement officials Tuesday arrested the well-known CEO of White Plains, N.Y.-based MSP provider Compulinx on charges of stealing the identities of his employees in order to secure fraudulent loans, lines of credit and credit cards, according to an eight-count indictment unsealed by the U.S. Attorney's office in White Plains."

Thursday, November 02, 2006

The retail industry is sending out a subtle message to the public - hold on to your receipts if you want a "problem free" refund this upcoming Christmas season!

Michele Chandler of the Mercury News is reporting:

Retailers stand to lose $3.5 billion from returns fraud during the holidays this year, according to a survey released today by the National Retail Foundation.

Criminals are increasingly taking advantage of the holiday bustle and retailers' return policies to get cash for stolen merchandise or return items for a refund after they've been used, according to the first survey on returns fraud by the industry group.

For the year, retailers could lose a total of $9.6 billion because of the practice.

I do firmly believe this is a "BIG" problem, but what isn't mentioned in these surveys and news articles is that a lot of refund fraud comes from within, or is the result of an "inside job."

Quite simply - one of the easiest ways for a dishonest employee to steal cash is to do a fraudulent refund and pocket the proceeds. That way a "cash shortage" doesn't show up in their till.

Another recent concern is the amount of personal information to issue these refunds. Storing all this information could create the risk of data breaches - and as I have written before - the insiders and professionals routinely use "other people's information" to get past all these security procedures.

Bottom line is the "message is clear from the retail industry" -- honest people better hold on to their receipts if they expect to get a refund.

I'm glad the industry is protecting themselves and hope they are taking measures to protect the customers who aren't stealing by using good judgment and protecting all the information they are maintaining in databases.

I also hope this will allow them to focus their security resources on "insiders," who might be a big part of the problem. Whenever people steal, the cost is passed on to all of us.

As for my recommendation - hold on to your receipts and be careful of what information you give out that gets stored in data bases!

On a lighter note, it might surprise you who is behind retail refund fraud, here is a previous post on someone, who surprised a lot of people:

TechWeb did an interesting article with the specifics of Microsoft's latest legal actions, here.

In reality counterfeits are being sold on numerous auction sites, flea markets and even retail outlets. The Arizona Republic recently reported about how counterfeits are being smuggled across the border in massive amounts.

Interestingly enough, they mentioned "pirated software" being sold right on the streets:

Outside Computer Plaza, an electronics bazaar downtown, street hawkers carry binders full of pirated software. They will even help install the software on laptops. Adobe Photoshop, which costs $650 in the United States, can be bought outside Computer Plaza for 40 pesos, or $4.

The sad truth is that although some people buy counterfeit merchandise (knowingly) - some of it looks so much like the real thing - there are a lot of people, who might actually believe they are getting the genuine product.

There is no telling what can come "bundled" in a counterfeit software package. Malware and crimeware could easily be installed in a system in this manner, along with other "problematic" software applications.

So just as one might get sick from drinking "counterfeit scotch," a computer could come down with a "nasty" virus from installing counterfeit software.

And there is something more personal to worry about -- if crimeware was to be installed in this manner -- the end result of this illness might very well be a person's financial resources and something more important, their identity.

So far as the Microsoft approach to attacking counterfeiting - it is far more realistic in my opinion (going after the source) - and (perhaps) spending financial resources doing this will be a service not only to Microsoft, but the public-at-large, also!